LastPass exploits and feeling vulnerable

I wanted to talk about the recent LastPass password manager exploits reported by @taviso and the negative perceptions they may create of LastPass as a password manager among its users.

It's likely that people who don't live and breathe the world of software and security see exploit reports like these and, without context, are left feeling their security tools are leaving them vulnerable.

Vulnerability - 'The quality or state of being exposed to the possibility of being attacked or harmed.'

I think it's important to talk to people about security flaws, the responsible disclosure process, and how the efforts put in by researchers like @taviso are of real value in improving security tools like LastPass.

Password managers like LastPass are now absolutely essential for both home and business users. The DBIR (Data Breach Investigations Report) produced by Verizon's enterprise security team each year shows us that one of the leading factors in user accounts being breached is still poor password management and a lack of 2FA.

These breaches were likely not the result of highly sophisticated technical attacks but of attackers taking advantage of what is essentially low-hanging security fruit. All of this can be mitigated if users are educated on the use of a password manager and 2FA.

But if the password manager they use is being reported as wide open to exploitation and their passwords to theft, of what use is it? Well, that's the issue: the discussion and reporting surrounding these exploits walk right past some very important considerations and context users need to make a judgement call on how vulnerable they really are.

So how do we address some of the typical concerns and put things into proper context for our people?

We want to start with the possible misconception that having security flaws reported is a huge failing on LastPass's part and that we should all be switching to another password manager product to stay safe.

It's important to explain to users that all software has bugs and security faults, and that it's unlikely another company's password manager product is free from similar issues. While companies conduct their own testing and engage third-party security testers to review their products, things can still get missed.

It follows then that we should also spend some time explaining the work security researchers do and what a responsible disclosure process looks like. When issues are disclosed to vendors in this manner, users are not instantly made vulnerable to the exploit; instead, the researcher works with the vendor so they have an opportunity to fix the issues and push a fix to users. This is the case with the exploits reported to LastPass: there is nothing malicious going on that places users at risk.

What will help people determine if they are at risk is knowing how we expect vendors to behave during such a disclosure. Vendors who are transparent about confirming the issue and quickly turn around a fix, as LastPass has done, should help users gain confidence in the software product and the security maturity of the vendor.

Vendors who are not communicative, take significantly longer than the grace period to turn around fixes, or respond to a responsible disclosure with threats of legal action are more likely to have a product or service that isn't being well managed under a mature security program, and this is what is more likely to place users and their accounts at risk.

Armed with a bit of education around responsible disclosure and some detail around the response from LastPass, I'm confident in telling my users that LastPass still provides them the protection they need to be safe at work and at home.

While the LastPass exploit reports are still fresh and in the news, it's a great time to reach out to your users with a security awareness message covering all of the above and provide the context that I feel is often missing when things like this happen.

Additionally, in your messaging explain that if passwords ever are compromised, the second layer of protection they have in 2FA is what mitigates the damage if something does go terribly wrong. Help them set it up if they don't have it turned on.

Perhaps also consider showing them the haveibeenpwned service run by @troyhunt, so they know that if sites without 2FA protection are breached they can quickly go and generate a new strong password before someone malicious can compromise their accounts.

Our willingness to provide education and support in making these tools work, and to put the risks in the right context and perspective when they arise, will really help users feel a lot less exposed and vulnerable.